CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-42826

CVSS 10.0v3.1pub. 2026-05-07upd. 2026-05-08

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) involves improper access control to protected resources or data in the Azure DevOps service. An attacker without any permissions can send a specially crafted request over the network and gain access to information that should be available only to authorized users. The vulnerability does not require user interaction, and its scope extends beyond the originally attacked component (Scope: Changed).

Impact

An attacker can remotely and without authentication disclose sensitive information stored or processed by Azure DevOps, which may include project data, source code, pipeline configurations, tokens, or other confidential organizational resources. Leakage of such data may lead to further attacks on IT infrastructure.

Mitigation & patch

Patches available from the vendor should be applied according to references — details regarding updates are published in the Microsoft Security Response Center at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826

Who is affected

Microsoft Azure DevOps — versions indicated in vendor references (Microsoft Security Response Center)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Devops

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-47158CRITICAL9.0PL ✓ten sam produkt

Authentication Bypass w Azure DevOps — eskalacja uprawnień przez sieć

CVE-2025-29813CRITICAL10.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Azure DevOps — eskalacja uprawnień przez sieć

CVE-2026-23658HIGH8.6ten sam produkt

Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges ove...

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server